Overview

overview

10

Static

static

d1d13d5e09...50.exe

windows7_x64

10

d1d13d5e09...50.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    132s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-05-2022 06:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1d13d5e097991e4aa47d7ca7f27e8ab86d868a2d07c89794e34fed6b9155650.exe

  • Size

    516KB

  • MD5

    0021da726a32f0d55f2a81958da26ad4

  • SHA1

    28acebd920aecd34689f18b261b407237886ba03

  • SHA256

    d1d13d5e097991e4aa47d7ca7f27e8ab86d868a2d07c89794e34fed6b9155650

  • SHA512

    fa6a07c2b093d71a16aea4ffdc4caeca79bb64bd7136f814b682d57152859f4b8004693e3755b58e080d4d2ae3326555f67d03e5803964f5e07e0093c79d15fd

Score
10/10
taurusspywarestealertrojan

Malware Config

Signatures

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

    trojanstealertaurus
  • Taurus Stealer Payload 7 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1d13d5e097991e4aa47d7ca7f27e8ab86d868a2d07c89794e34fed6b9155650.exe
    "C:\Users\Admin\AppData\Local\Temp\d1d13d5e097991e4aa47d7ca7f27e8ab86d868a2d07c89794e34fed6b9155650.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\SysWOW64\cmd.exe
        /c timeout /t 3 & del /f /q C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:872
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/872-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1300-66-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1300-64-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1300-71-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1300-59-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1300-58-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1300-61-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1300-63-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1300-69-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1300-67-0x000000000041CC20-mapping.dmp
    Download
  • memory/1416-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1760-54-0x0000000001030000-0x00000000010B2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1760-56-0x0000000000440000-0x000000000047A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1760-57-0x00000000004C0000-0x00000000004D2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1760-55-0x00000000752B1000-0x00000000752B3000-memory.dmp
    Filesize

    8KB

    Download